Security Risks to Consider When Deploying Containers on Docker

Docker – a platform for OS-level virtualization instances known as containers – has become a hugely popular infrastructure technology. Flexible containerization is completely changing the way we build and maintain applications at scale, with analyst group RedMonk identifying the large enterprise market as a key driving force.Towards the end of April, Docker CEO Ben Golub took to the stage at DockerCon to share user experiences and lessons learned but also to celebrate the platform’s booming success. One-third of all container deployments now take place in production environments, many of these in the form of rollouts spanning hundreds of hosts.In fact, when it comes to containerization, larger companies often lead the charge rather than lag behind; cloud monitoring firm Datadog found that corporate Docker adoption increased by 40 percent over the past year.With positivity and momentum of growth in mind, we must not forget one core priority in today’s ever-changing tech landscape: information security. Let’s take a look at five potential threats and strategies to help secure your container deployments.

Container concerns1. Malicious and vulnerable imagesThe Docker Hub registry hosts over 100,000 public container repositories, free of charge. Searching for WordPress, for instance, brings up the official (and most downloaded) repo but also a plethora of modified and adapted versions.That’s because anyone can publish a new repo on Docker Hub, so check that you’re familiar with the project maintainer before deploying. Running untested builds from spurious sources may lead to host instability, the unintentional introduction of vulnerable components, or even malicious code execution.In terms of alternatives, fresh on the scene is the official Docker Store and “Certified” program that offers a variety of assured and deployment-ready packages. Paid plans on the Hub feature a “Security Scanning” tool that can check images for known vulnerabilities; trusted third-parties may also provide their own container registries with repository scanning built in.2. IAM breachesIdentity and access management is a term closely associated with modern cloud technology. We can look to the Gartner glossary for a brief refresher:“IAM is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. [It] addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments […]”Cloud providers, such as Amazon Web Services, aim to provide hardened IAM role structures by default. These can be used in tandem with your Elastic Compute Cloud (EC2) instances or applied to another provider’s implementation to ensure your users have been issued the appropriate access rights as per the Principle of Least Privilege.When deploying private containers or those developed in-house, an additional IAM concern stems from ensuring your registry is sufficiently protected. Two-factor authentication and single sign-on integration can bolster your security and help keep malicious actors at bay.3. Excess resource usageBy default, a Docker container has no resource constraints. As a result, actively deploying containers without resource limits could lead to severely degraded host performance. Make sure to set limits on memory, bandwidth and disk usage (block I/O) to mitigate performance issues, which could be caused by malicious code (such as denial of service code execution) or host misconfiguration.4. Container breakoutsAn adversary that gains access to one of your containers should not be able to move laterally to other containers or the Docker host. However, Docker is evolving quickly and privilege escalation exploits may arise, so take care to build infrastructure with a layered defense-in-depth approach in mind.Albeit only affecting users running containers with root privileges (not recommended), consider the Docker Engine 0.11 container breakout as one example. Proof of concept code was made public on June 18, 2014, and transparently addressed by the Docker team soon afterwards.On a side-note, Docker supports the responsible disclosure of security vulnerabilities, so reach out to [email protected] if you have details of a vulnerability affecting a Docker product or service.5. Orchestration securityWhile this article centers around securing Docker containers, you should also take steps to protect your orchestration platform and its components. Orchestration involves the management and automation of tasks, such as container clustering and scheduling, with companies looking to tools like Kubernetes and Mesos to manage these in an efficient manner.Further readingSecurity Risks and Benefits of Docker Application Containers, Lenny ZeltserConsidering Docker? Consider Security First, Owen Lystrup (Cisco)Six Ways to Secure Your Docker Containers, Chris Tozzi (Sumo Logic)

About the Author:Yasin Soliman lives and breathes information security. In addition to working as an independent research analyst, Yasin writes for the award-winning site Graham Cluley Security News. You can find him on Twitter at @SecurityYasin.Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.